Hi everybody,
I’ve noticed that my installation of Avast connects to some adult site during the update process.
It seems to download some pictures from there, and I really cannot see the reason for doing that.
Thank you for your attention,
Frank
-= Where did you download your copy of avast…? Was it from an e-mail…?
Hi L’ arc
I got the installer from the official website and I’ve successfully used it for a long time, this is a recent issue as for what I’ve noticed.
Maybe my Avast has been hijacked / infected itself?
Thanks again,
Frank
Have you run any scans with Avast or other ?
Download these programs. HijackThis: run it, choose scan and save logfile, then copy/paste the txt log.
http://filehippo.com/download_hijackthis/
Download, install, update and run ’quick’ scans with MBAM and SAS, then copy/paste the logs.
http://filehippo.com/download_malwarebytes_anti_malware/
http://filehippo.com/download_superantispyware/
I don’t think that it is avast which is infected… maybe your browser was hijacked, maybe the hosts file compromised.
I suggest:
Thank you very much everybody for your pointers, I’ll check to see if I can solve the issue following your directions and I’ll get back here once I’m done with those steps.
Some additional information meanwhile: again during the update process, it says it is checking some files on my hard-disk, they are all called “.vbs” and they seem to be on the root folder of each partition - but I’ve checked and there are no such files - at least, Windows doesn’t show them even if I tell it to display hidden/system files.
Thanks again for your help,
cheers,
Frank
What is “it” here? avast update?
It does not call any .vbs file to update… seems really a malware behavior.
@ entu
One crucial thing not mentioned is your firewall ?
As this is an important part of your systems security - It should be capable of blocking unauthorised outbound Internet Connections.
Hi again everybody, some update.
I’ve run a complete scan with avast! (4.8 home edition). I’ve had to run it manually with the system already started, because I wasn’t able to find an option to schedule the scan at startup. Anyway, it didn’t find anything.
I’ve run avast antirootkit and no threat was found.
Then I’ve run MBAM and it found some files and some folders infected by backdoor.bot.
When it asked me what to do with those files and folders, I’ve told it to quarantine the files and to take no action against the folders - those folders contain several sub-folders filled with documents I need to keep.
I was unsure about what my actions could lead to; anyway, I restarted the system as MBAM asked me to do and I re-ran MBAM to check whether those folders were still infected - that surprised me: those folders passed the check and no further infection was found.
By the way I have no idea how a folder could get infected - but I’m no expert, you can guess.
@ DavidR: my OS is WinXP SP2, the firewall is active and fully working - afaik.
I’ve just run the avast update option and it still goes on displaying stuff like “confirm file: C:\.vbs” (btw, “confirm file” is my translation of the Italian string “conferma file:”); also it still goes on connecting to those adult sites - btw, shall I report the domain of that website here or somewhere else? It is always the same domain and the same addresses.
I’m going to try all the other steps given by Tech.
Thank you all again for your time and please excuse me for these step-by-step posts.
All the best,
Frank.
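The “confirm file: C:\.vbs” messages above refer to files in the root of each partition that Explorer does not show even with hidden/system files enabled. The check below is an added example, not code from the thread or from Avast: it enumerates the root of each partition directly with os.scandir, which lists every entry regardless of Explorer’s view settings, and reports the hidden/system attribute bits of any .vbs file it finds. The drive-letter probing and the sample directory it builds for the demonstration are this example’s own assumptions; it only reads, it never moves or deletes anything.

```python
import os
import tempfile

# Windows file-attribute bits (values documented by Microsoft); on other
# platforms os.stat has no st_file_attributes and they are treated as 0.
FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4


def find_vbs_in_root(root):
    """Return (path, hidden, system) for every .vbs file directly inside `root`.

    os.scandir enumerates every directory entry, so a file that Explorer
    hides (hidden/system attributes, or a name that is just an extension)
    is still reported here.  Read-only: nothing is moved or deleted.
    """
    hits = []
    with os.scandir(root) as entries:
        for entry in entries:
            if not entry.is_file(follow_symlinks=False):
                continue
            if not entry.name.lower().endswith(".vbs"):
                continue
            st = entry.stat(follow_symlinks=False)
            attrs = getattr(st, "st_file_attributes", 0)   # 0 outside Windows
            hits.append((entry.path,
                         bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                         bool(attrs & FILE_ATTRIBUTE_SYSTEM)))
    return sorted(hits)


def partition_roots():
    """Roots to check: every mounted drive letter on Windows, '/' elsewhere."""
    if os.name == "nt":
        return [f"{c}:\\" for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                if os.path.isdir(f"{c}:\\")]
    return ["/"]


def scan_roots(roots):
    """Map each root to its hits; an unreadable root (empty CD drive,
    missing path) maps to None instead of aborting the whole scan."""
    report = {}
    for root in roots:
        try:
            report[root] = find_vbs_in_root(root)
        except OSError:
            report[root] = None
    return report


def demo_scan():
    """Constructed sample: a throwaway directory standing in for a partition
    root, holding one file named exactly '.vbs' (as the thread describes)
    and one ordinary text file.  Returns the hits for that directory."""
    root = tempfile.mkdtemp(prefix="vbs-scan-demo-")
    open(os.path.join(root, ".vbs"), "w").close()
    open(os.path.join(root, "notes.txt"), "w").close()
    return find_vbs_in_root(root)


if __name__ == "__main__":
    for root, hits in scan_roots(partition_roots()).items():
        print(root, "unreadable" if hits is None else hits)
```

On Windows the same listing can be had from a command prompt with `dir /a C:\`, but having the attribute bits in a structured result is what makes it easy to compare several partitions and to keep the output for the forum helpers.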
I suggest an installation from the scratch:
Thanks for your new directions Tech, I’m going to follow them and I’ll get back here once I’m done.
I was thinking better… something is weird in your hosts file… follow steps I’ve posted before.
All right, I’m going to do the hosts check & restore stuff.
Whilst the windows XP firewall is usually good at keeping your ports stealthed (hidden) it provides no outbound protection and you should consider a third party firewall.
Any malware that manages to get past your defences will have free rein to connect to the internet to either download more of the same, pass your personal data (sensitive or otherwise: user names, passwords, keylogger-retrieved data, etc.) or open a backdoor to your computer, so outbound protection is essential.
See http://www.matousec.com/projects/firewall-challenge/results.php.
Many forum users are using all of the above:
I’m not convinced a clean reinstall of avast will make the slightest difference, I would be happy to be proven wrong though.
You should post ALL logs from MBAM, SAS and HJT (which you have yet to run). HJT takes 10 seconds, yet can tell a lot.
Uhm, excuse me but I’m a bit confused.
First of all, let me tell one thing that maybe should be taken in account: I’m connecting to the Internet via a proxy server that accepts connections only on port #80.
For your information, this proxy is completely out of my reach - that is, I must keep it as it is; I have no hope of contacting the maintainers and asking them to change any setting whatsoever. I already tried and they plainly replied to me that their service is cheap and set in stone, I must cope with that.
So then, I’ve set the proxy address in HostsMan’s settings, and when I tell it to update the hosts list it returns the following:
Checking for updates:
@ DavidR: I will check out those firewalls and I will set one of them up - but I’d like to solve this avast issue first. Or should I start by installing one of those firewalls first?
@ Micky77: I will post those logs (MBAM and HJT) but I fear I won’t be able to get SuperAntispyware (that’s SAS, isn’t it?) - I cannot get that due to my proxy, which for some obscure reason refuses to deliver me large executables.
Kudos to all of you for your precious time people, I’ll be back soon.
Proxy at port 80? Are you sure? This is the default http port…
Did you add the server address and the port number into avast proxy settings?
Of course I did, and everything worked fine for a long time - avast correctly updated itself every time.
I’ve just checked it right now again, the address and the port are still correctly set.
Everything on my system passes through that proxy (well, Firefox, Avast, FlashGet and a couple of other programs that need to get to the Internet) and everything works fine (except that “large executables” issue I mentioned before).
I’ve had a look at the MBAM log and I’m not posting it because it is plainly useless - apart from the infected files/folders, which report only the “Backdoor.bot” notice, everything else reads zero (no infected processes/modules/registry keys and so on).
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20.30.28, on 11/07/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmi\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\CACHEM~1\CachemanXP.exe
C:\Programmi\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\Programmi\File comuni\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmi\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\RunDll32.exe
C:\Programmi\Mozilla Firefox\firefox.exe
C:\Programmi\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = [guess numbers here ;-) : 80]
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Supporto di collegamento per Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\File comuni\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FLASHGET\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programmi\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FLASHGET\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\fgiebar.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Programmi\Creative\Sound Blaster\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SbUsb AudCtrl] RunDll32 sbusbdll.dll,RCMonitor
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO LOCALE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SERVIZIO DI RETE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Programmi\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: E&sporta in Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Programmi\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: Scarica con FlashGet - C:\Programmi\FlashGet\jc_link.htm
O8 - Extra context menu item: Scarica tutto con FlashGet - C:\Programmi\FlashGet\jc_all.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmi\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra 'Tools' menuitem: &Impostazioni di Google Gears - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O9 - Extra button: Run WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra 'Tools' menuitem: Launch WinHTTrack - {36ECAF82-3300-8F84-092E-AFF36D6C7040} - C:\Programmi\WinHTTrack\WinHTTrackIEBar.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FLASHGET\flashget.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7977801F-1950-46BE-8985-64EF0270924F}: NameServer = 83.224.65.134
O18 - Protocol: jpip - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Programmi\LizardTech\Express View\expressview.dll
O18 - Protocol: sidlet - {B92DD248-E3D5-4A92-B311-C9B841681455} - C:\Programmi\LizardTech\Express View\expressview.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmi\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: CachemanXP (CachemanXPService) - Outertech - C:\PROGRA~1\CACHEM~1\CachemanXP.exe
O23 - Service: Servizio di Google Update (gupdate) (gupdate) - Google Inc. - C:\Programmi\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Programmi\Google\Common\Google Updater\GoogleUpdaterService.exe
--
End of file - 6044 bytes
I’m going to wait a while for any reply, then I’ll try to reinstall avast from scratch.
Please let me know if the HostsMan report I’ve posted in my previous message is OK or not.
More to come, thanks again.
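A HijackThis log is a flat list of items, one per line, each starting with a section code (R0/R1 for browser and proxy settings, O2 for BHOs, O4 for auto-start entries, O17 for DNS overrides, O23 for services). The parser below is an added example, not part of the thread or of HijackThis itself: it splits a log into items and applies the first checks a responder makes when reading one, namely orphaned registrations marked “(no file)”, O17 NameServer overrides, the R1 proxy setting, and any O4 auto-start that launches a script rather than an executable. The sample log is constructed from lines in the log posted above plus one constructed O4 line; the proxy host in it is a placeholder, not the poster’s real value.

```python
import re

# One HJT item per line: a section code (R0, R1, O2, O4, O17, ...), " - ", body.
HJT_ITEM = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return [(code, body)] for every R/O item in a HijackThis log.
    Header lines, the '--' separator and the 'End of file' footer are skipped."""
    items = []
    for raw in text.splitlines():
        m = HJT_ITEM.match(raw.strip())
        if m:
            items.append((m.group("code"), m.group("body")))
    return items


def review_hjt(items):
    """Apply the first-pass checks a responder makes on a log.
    Returns [(reason, code, body)]; one item can yield several reasons."""
    findings = []
    for code, body in items:
        if "(no file)" in body:
            # registration points at a file that no longer exists: leftover of
            # an uninstall, or of a removal tool that took the file away
            findings.append(("orphan-entry", code, body))
        if code == "O17" and "NameServer" in body:
            # per-interface DNS override: verify the address belongs to the ISP
            findings.append(("dns-override", code, body))
        if code == "R1" and "ProxyServer" in body:
            # all browser traffic goes through this host; confirm it is expected
            findings.append(("proxy-setting", code, body))
        if code == "O4" and re.search(r"\.(vbs|js|bat|cmd)\b", body, re.I):
            # an auto-start entry launching a script instead of an executable
            findings.append(("script-autostart", code, body))
    return findings


# Constructed sample: lines adapted from the log in this thread plus one
# constructed O4 line; the proxy host is a placeholder, not the real value.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows XP SP2 (WinNT 5.01.2600)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.example.invalid:80
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Gears Helper - {E0FEFE40-FBF9-42AE-BA58-794CA7E3FB53} - C:\Programmi\Google\Google Gears\Internet Explorer\0.5.23.0\gears.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [constructed-example] C:\constructed-example.vbs
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{7977801F-1950-46BE-8985-64EF0270924F}: NameServer = 83.224.65.134
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmi\Alwil Software\Avast4\ashServ.exe
--
End of file - 6044 bytes
"""


def review_sample():
    """Parse and review the constructed sample log."""
    return review_hjt(parse_hjt(SAMPLE_LOG))


if __name__ == "__main__":
    for reason, code, body in review_sample():
        print(f"{reason:17} {code:4} {body}")
```

A flagged item is a question, not a verdict: the O17 NameServer in the posted log is only a concern if the address is not the ISP’s resolver, and the R1 proxy line is exactly what the poster configured on purpose.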
Please let me know if the HostsMan report I’ve posted in my previous message is OK or not.
No. It’s not ok. It should allow the updates, at least the first two on the list, and you need not only to update your hosts file but to replace it completely.
Do you have Windows Defender updated? It should monitor the hosts file… maybe an infection passed through it also.
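The hosts file is plain text: one IP address per line followed by the names that should resolve to it, with `#` starting a comment. The audit below is an added example, not code from the thread, from HostsMan or from Avast: it parses the file and flags two things, any entry at all for a vendor update or security domain (a clean hosts file never mentions those, and mapping them to loopback is how update checks such as the HostsMan one above get silently blocked) and any entry that sends a name to a real address rather than loopback or the null address (a redirect). The list of protected domains and the default Windows hosts path are this example’s own assumptions, and the sample file it audits is constructed.

```python
import ipaddress
import os

# Default Windows location of the hosts file (well-known path).
HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"

# Illustrative list, an assumption for this example: names that a clean hosts
# file should never mention, because mapping them anywhere (to loopback or to
# a foreign address) blocks or redirects security updates.
PROTECTED_SUFFIXES = ("avast.com", "microsoft.com", "windowsupdate.com")


def parse_hosts(text):
    """Return [(line_no, ip, hostname)] for every mapping in hosts-file text.
    Comments (#...), blank lines and lines whose first field is not an IP
    address are skipped; one line may carry several hostnames."""
    mappings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mappings.append((line_no, fields[0], name.lower()))
    return mappings


def audit_hosts(text, protected=PROTECTED_SUFFIXES):
    """Flag mappings worth a look: any entry for a protected name, and any
    entry that sends a name to a real address instead of loopback/null.
    Returns [(line_no, ip, hostname, [reasons])]."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        reasons = []
        if any(name == s or name.endswith("." + s) for s in protected):
            reasons.append("protected-name")
        if not (addr.is_loopback or addr.is_unspecified):
            reasons.append("redirect")
        if reasons:
            findings.append((line_no, ip, name, reasons))
    return findings


# Constructed sample hosts file; 203.0.113.7 is a documentation-range address.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com            # silently blocks the vendor site
203.0.113.7     update.microsoft.com     # sends update traffic elsewhere
127.0.0.1       ads.example.invalid      # ordinary ad-blocking entry, fine
"""


def audit_sample():
    """Audit the constructed sample file."""
    return audit_hosts(SAMPLE_HOSTS)


if __name__ == "__main__":
    # Read the live hosts file when present, otherwise audit the sample.
    if os.path.exists(HOSTS_PATH):
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for line_no, ip, name, reasons in audit_hosts(text):
        print(f"line {line_no}: {ip} {name} -> {', '.join(reasons)}")
```

Ad-blocking hosts lists legitimately map thousands of names to 127.0.0.1 or 0.0.0.0, which is why the audit does not flag loopback entries in general and only reacts when a protected name is involved; the “redirect” rule, by contrast, fires on any entry, because a hosts file that points a name at a foreign address overrides DNS for every program on the machine, the updater included.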
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
You're using Windows SP2, which has several security vulnerabilities, and Windows SP3 has been available for over a year with performance enhancements and several Critical Security Updates, so in IE go to Tools then Windows Update, then download and install all updates.
Go to Control Center then Security Center then set it to Automatic Updates (Recommended) or at least Notify me about updates but do not download nor install them.
IE8 is now available and it has more security than IE6:
http://www.microsoft.com/windows/Internet-explorer/default.aspx
The Sun Java is way down level and has security exposures so go to Add/Remove Programs and un-install all Sun Java installs.
Get and install Java Runtime Environment:
http://filehippo.com/download_java_runtime
Run Secunia Online Software Inspector to see what other applications have vulnerabilities:
http://secunia.com/vulnerability_scanning/online